Cycle session ID on login #2813
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stveit
force-pushed
the
session-id-rot
branch
3 times, most recently
from
fb59be6
to
6a85ed6
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2813 +/- ##
==========================================
+ Coverage 57.10% 57.14% +0.03%
==========================================
Files 567 567
Lines 41275 41275
==========================================
+ Hits 23570 23585 +15
+ Misses 17705 17690 -15 ☔ View full report in Codecov by Sentry. |
stveit
force-pushed
the
session-id-rot
branch
7 times, most recently
from
f99a74c
to
7737eab
Compare
Closed
stveit
force-pushed
the
session-id-rot
branch
2 times, most recently
from
9c07866
to
d4916f8
Compare
|
The codecov complaints are irrelevant for this pr |
stveit
commented
Feb 27, 2024
hmpf
approved these changes
Feb 28, 2024
lunkwill42
requested changes
Feb 28, 2024
Does not do antyhing for logging out(i.e. removing account) just when changing from either no account to an account or from one account to another
stveit
force-pushed
the
session-id-rot
branch
from
97c62c4
to
fd4883e
Compare
this func is imported alot of places, makes no sense for this to be marked as private
have to mock away the cycle_key thingy else existing tests fail. Will probably need separate integration tests to test session ID cycling
Avoids session id changing on every request. session will still be cycled on login by the functions that directly handle login. ensure_account either just sets the request.account field to the match the already logged in user, or sets the account to be the anonymous user. Neither should trigger a session_id.
got some issues testing session stuff when the client was shared amongst all tests, maybe it got old or something as well. Getting a fresh client for each test was a lot better
Co-authored-by: Morten Brekkevold <morten.brekkevold@sikt.no>
Co-authored-by: Morten Brekkevold <morten.brekkevold@sikt.no>
stveit
force-pushed
the
session-id-rot
branch
from
fd4883e
to
19c5d84
Compare
|
|
Rebased on master to get in #2835 |
lunkwill42
approved these changes
Feb 29, 2024
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For #2804 (might not solve it fully depending on how many changes to session id we want to do)
Cycles session ID on login. Or more generally, every time a different user is made into the active account for the session, so this includes the sudo/desudo functions where the logged in account is changed.
Had some issues testing against sessions with a session scoped
clientfixture. Changing this tofunctionscoped and ensuring I get a fresh client for each test was a lot better